Category: Cisco

Cloud native adoption has far reaching implications for enterprise IT, says Cisco engineer

The cloud native wave is coming. Capgemini SE has reported that while only 15% of new enterprise applications are cloud native, adoption will more than double by next year. Its potential as a cloud-based, elastic and resilient service delivery model has appeal in the enterprise information technology world. But cloud native is also still in […]

The post Cloud native adoption has far reaching implications for enterprise IT, says Cisco engineer appeared first on SiliconANGLE.

Cisco unveils new tools for CloudCenter so developers can focus on code and logic

As Cisco Systems Inc. continues to build relations with enterprise developers, particularly through its growing DevNet program, the company is paying close attention to what that audience needs. This focus can be seen in how Cisco has enhanced its CloudCenter Suite. Since January, the company made the platform available globally in a software-as-a-service deployment and […]

The post Cisco unveils new tools for CloudCenter so developers can focus on code and logic appeared first on SiliconANGLE.

John Chambers loves his new company and IPOs; he’s less thrilled about U.S. education system

As the chairman of a startup company that just launched out of stealth, John Chambers (pictured), former chief executive officer of Cisco Systems Inc. and CEO of J2 Ventures, is delighted about the prospects for his fledgling business and passionate about the need for educational change in his own country. Led by a number of […]

The post John Chambers loves his new company and IPOs; he’s less thrilled about U.S. education system appeared first on SiliconANGLE.

Not satisfied yet: At 10-year milestone, CEO positions Nutanix for next wave of HCI

Most technology executives would be quite satisfied to build a business in 10 years with over 5,000 employees, 14,000 customers, at least $1 billion in annual revenue, and become an established, publicly traded company. Most executives aren’t Dheeraj Pandey. As the chairman and chief executive officer of Nutanix Inc., Pandey (pictured) has guided his firm to […]

The post Not satisfied yet: At 10-year milestone, CEO positions Nutanix for next wave of HCI appeared first on SiliconANGLE.

Multiple networking options: Cisco brings cloud innovation on-premises

As Cisco Systems Inc. talks with its customers, it is getting a clear picture of information-technology preferences and an overwhelming sentiment in favor of a networking environment that mixes cloud with on-premises operations. One Cisco executive recently noted in an interview that 90% of its customers intended to deploy a multicloud structure while keeping the […]

The post Multiple networking options: Cisco brings cloud innovation on-premises appeared first on SiliconANGLE.

News at VMworld quietly underscored VMware’s growing enterprise influence

As VMworld wrapped up its fourth and final day, the event left attendees plenty of time to digest the flurry of major acquisition news that preceded the conference and a series of announcements that were rolled out on Monday. The question up for debate: Did the enterprise computing industry gain a better appreciation for VMware Inc.’s […]

The post News at VMworld quietly underscored VMware’s growing enterprise influence appeared first on SiliconANGLE.

The VMworld 2019 IT spending survey: containers, cloud, NSX and Pivotal

The VMworld 2019 information technology spending survey data shows that while customers continue to invest heavily in VMware Inc.’s products, organizations are doubling down on their public cloud commitments at the expense of incumbent on-premises infrastructure. In addition, the battle for market share amongst enterprise tech companies is heating up as share gains are the most obvious […]

The post The VMworld 2019 IT spending survey: containers, cloud, NSX and Pivotal appeared first on SiliconANGLE.

Focus on multicloud: Analysts discuss VMware’s history and challenges in advance of VMworld 2019

A little over six years ago, top executives from VMware Inc. stood on a Las Vegas stage and, in front of hundreds of partners, expressed incredulity that the company could be outsold by a bookseller. “I look at VMware and the brand reputation we have in the enterprise, and I find it really hard to […]

The post Focus on multicloud: Analysts discuss VMware’s history and challenges in advance of VMworld 2019 appeared first on SiliconANGLE.

Cisco and Microsoft integrate their Kubernetes container platforms

Cisco Systems Inc. is teaming up with Microsoft Corp. to make it easier for enterprises to run containerized Kubernetes applications on-premises and in the Azure cloud. In a blog post today, Kip Compton, Cisco’s senior vice president of Cloud Platform and Solutions, said the companies are making it possible to deploy and manage Kubernetes clusters on […]

The post Cisco and Microsoft integrate their Kubernetes container platforms appeared first on SiliconANGLE.

Configure Site to Site IPSec VPN Tunnel in Cisco IOS Router

IPSec VPN is a security feature that allows you to create a secure communication link (also called a VPN tunnel) between two different networks located at different sites. Cisco IOS routers can be used to set up a VPN tunnel between two sites. Traffic such as data, voice and video can be securely transmitted through the VPN tunnel. In this post, I will show the steps to configure a Site to Site IPSec VPN tunnel in a Cisco IOS router. You can also see how to configure an IPSec VPN with a dynamic IP in a Cisco IOS router.

The diagram below shows our simple scenario. The two sites have static public IP addresses, as shown in the diagram: R1 is configured with the 70.54.241.1/24 address and R2 with 199.88.212.2/24. As of now, both routers have only a very basic setup: IP addresses, NAT overload, a default route, hostnames, SSH logins, etc.

[Diagram: Site to Site IPSec VPN tunnel scenario between R1 and R2]

There are two phases in the IPSec configuration, called Phase 1 and Phase 2. Let's start the configuration with R1. Before you start configuring the IPSec VPN, make sure both routers can reach each other. I have already verified that both routers can ping each other, so let's start the VPN configuration.

Step 1. Configuring IPSec Phase 1 (ISAKMP Policy)

R1(config)#crypto isakmp policy 5 
R1(config-isakmp)#hash sha
R1(config-isakmp)#authentication pre-share
R1(config-isakmp)#group 2
R1(config-isakmp)#lifetime 86400
R1(config-isakmp)#encryption 3des
R1(config-isakmp)#exit
R1(config)#crypto isakmp key cisco@123 address 199.88.212.2

Here are the details of each command used above:

  • crypto isakmp policy 5 – This command creates ISAKMP policy number 5. You can create multiple policies, for example 7, 8 and 9, with different configurations. Routers participating in the Phase 1 negotiation try to match an ISAKMP policy by going through the list of policies one by one. If a matching policy is found, the IPSec negotiation moves to Phase 2.
  • hash sha – The SHA hash algorithm will be used.
  • authentication pre-share – The authentication method is a pre-shared key.
  • group 2 – The Diffie-Hellman group to be used is group 2.
  • encryption 3des – The 3DES encryption algorithm will be used for Phase 1.
  • lifetime 86400 – The Phase 1 lifetime is 86400 seconds.
  • crypto isakmp key cisco@123 address 199.88.212.2 – The Phase 1 pre-shared key is cisco@123 and the remote peer IP address is 199.88.212.2.

Step 2. Configuring IPSec Phase 2 (Transform Set)

R1(config)#crypto ipsec transform-set MY-SET esp-aes 128 esp-md5-hmac
R1(cfg-crypto-trans)#crypto ipsec security-association lifetime seconds 3600

Here are the details of the commands used above:

  • crypto ipsec transform-set MY-SET – Creates a transform-set called MY-SET.
  • esp-aes 128 – AES encryption (128-bit key) with the ESP IPSec protocol will be used.
  • esp-md5-hmac – The MD5 HMAC hashing algorithm will be used.
  • crypto ipsec security-association lifetime seconds – This is the amount of time that the Phase 2 security association exists before re-negotiation.

Step 3. Configuring Extended ACL for interesting traffic.

R1(config)#ip access-list extended VPN-TRAFFIC
R1(config-ext-nacl)#permit ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255

This ACL defines the interesting traffic that needs to go through the VPN tunnel. Here, traffic originating from the 192.168.1.0 network to the 192.168.2.0 network will go via the VPN tunnel. This ACL will be used in the crypto map in Step 4.

Step 4. Configure Crypto Map.

R1(config)#crypto map IPSEC-SITE-TO-SITE-VPN 10 ipsec-isakmp 
% NOTE: This new crypto map will remain disabled until a peer
        and a valid access list have been configured.
R1(config-crypto-map)#match address VPN-TRAFFIC
R1(config-crypto-map)#set peer 199.88.212.2
R1(config-crypto-map)#set transform-set MY-SET

Here are the details of the commands used above:

  • crypto map IPSEC-SITE-TO-SITE-VPN 10 ipsec-isakmp – Creates a new crypto map with sequence number 10. You can add more sequence numbers under the same crypto map name if you have multiple sites.
  • match address VPN-TRAFFIC – Matches the interesting traffic defined in the ACL named VPN-TRAFFIC.
  • set peer 199.88.212.2 – This is the public IP address of R2.
  • set transform-set MY-SET – This links the transform-set to this crypto map entry.

Step 5. Apply Crypto Map to outgoing interface of R1.

R1(config)#int fa0/0
R1(config-if)#crypto map IPSEC-SITE-TO-SITE-VPN
*Mar  1 05:43:51.114: %CRYPTO-6-ISAKMP_ON_OFF: ISAKMP is ON

Step 6. Exclude VPN traffic from NAT Overload.

R1(config)#ip access-list extended 101
R1(config-ext-nacl)#deny ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
R1(config-ext-nacl)#permit ip 192.168.1.0 0.0.0.255 any
R1(config-ext-nacl)#exit
R1(config)#ip nat inside source list 101 interface FastEthernet0/0 overload

ACL 101 above excludes the interesting (VPN) traffic from NAT. The deny entry must come before the permit entry, because the ACL is evaluated top to bottom.

Now repeat the same steps on R2.

Step 1. Configuring IPSec Phase 1 (ISAKMP Policy)

R2(config)#crypto isakmp policy 5
R2(config-isakmp)#hash sha
R2(config-isakmp)#authentication pre-share
R2(config-isakmp)#group 2
R2(config-isakmp)#lifetime 86400
R2(config-isakmp)#encryption 3des
R2(config-isakmp)#exit
R2(config)#crypto isakmp key cisco@123 address 70.54.241.2

Step 2. Configuring IPSec Phase 2 (Transform Set)

R2(config)#crypto ipsec transform-set MY-SET esp-aes 128 esp-md5-hmac
R2(cfg-crypto-trans)#crypto ipsec security-association lifetime seconds 3600

Step 3. Configuring Extended ACL for interesting traffic.

R2(config)#ip access-list extended VPN-TRAFFIC
R2(config-ext-nacl)#permit ip 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255

Step 4. Configure Crypto Map.

R2(config)#crypto map IPSEC-SITE-TO-SITE-VPN 10 ipsec-isakmp
% NOTE: This new crypto map will remain disabled until a peer
        and a valid access list have been configured.
R2(config-crypto-map)#match address VPN-TRAFFIC
R2(config-crypto-map)#set peer 70.54.241.2
R2(config-crypto-map)#set transform-set MY-SET

Step 5. Apply Crypto Map to outgoing interface

R2(config)#int fa0/1
R2(config-if)#crypto map IPSEC-SITE-TO-SITE-VPN
*Mar 1 19:16:14.231: %CRYPTO-6-ISAKMP_ON_OFF: ISAKMP is ON

Step 6. Exclude VPN traffic from NAT Overload.

R2(config)#ip access-list extended 101
R2(config-ext-nacl)#deny ip 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255
R2(config-ext-nacl)#permit ip 192.168.2.0 0.0.0.255 any
R2(config-ext-nacl)#exit
R2(config)#ip nat inside source list 101 interface FastEthernet0/1 overload
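As an added example (not part of the original post), here is a small Python checker that verifies the two routers' configs are consistent mirror images of each other before the tunnel is brought up: identical ISAKMP policy parameters, the pre-shared key bound to the same address the crypto map peers with, mirrored crypto ACLs, and the NAT exemption deny placed ahead of the permit. The config excerpts are constructed from the steps above and the function names are hypothetical.

```python
import re
# Constructed excerpt of the R1 config from Steps 1-6 above (not the page's own running
# config). R2 is derived as its mirror image: peer address and LAN networks swapped.
R1 = """crypto isakmp policy 5
 hash sha
 authentication pre-share
 group 2
 encryption 3des
crypto isakmp key cisco@123 address 199.88.212.2
ip access-list extended VPN-TRAFFIC
 permit ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
crypto map IPSEC-SITE-TO-SITE-VPN 10 ipsec-isakmp
 set peer 199.88.212.2
ip access-list extended 101
 deny ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
 permit ip 192.168.1.0 0.0.0.255 any
"""
R2 = (R1.replace("199.88.212.2", "70.54.241.2").replace("192.168.1.0", "LAN1")
        .replace("192.168.2.0", "192.168.1.0").replace("LAN1", "192.168.2.0"))

def _block(cfg, header_re):  # indented lines after a header (regex), split into fields
    m = re.search(rf"^{header_re}\n((?: .*\n)+)", cfg, re.M)
    return [line.split() for line in m.group(1).splitlines()] if m else []
def _first(cfg, pattern):    # first capture group of a pattern, or None
    m = re.search(pattern, cfg)
    return m.group(1) if m else None
def isakmp_policy(cfg):
    return sorted(" ".join(f) for f in _block(cfg, r"crypto isakmp policy \d+"))

def check_pair(a, b):
    """List the mirror-image violations between two site configs (empty list = OK)."""
    findings, flows = [], {}
    if isakmp_policy(a) != isakmp_policy(b):
        findings.append("ISAKMP policy parameters differ between peers")
    for name, cfg in (("R1", a), ("R2", b)):
        # the pre-shared key must be bound to the same address the crypto map peers with
        if _first(cfg, r"crypto isakmp key \S+ address (\S+)") != _first(cfg, r"set peer (\S+)"):
            findings.append(f"{name}: pre-shared key address differs from crypto map peer")
        flow = flows[name] = _block(cfg, "ip access-list extended VPN-TRAFFIC")[0]
        nat = _block(cfg, "ip access-list extended 101")
        # NAT exemption: a deny matching the VPN flow must precede the first permit
        deny = next((i for i, e in enumerate(nat)
                     if e[0] == "deny" and e[2:6] == flow[2:6]), None)
        permit = next((i for i, e in enumerate(nat) if e[0] == "permit"), len(nat))
        if deny is None or deny > permit:
            findings.append(f"{name}: NAT ACL does not exempt VPN traffic before the permit")
    fa, fb = flows["R1"], flows["R2"]       # fields: permit ip SRC WILD DST WILD
    if fa[2:4] != fb[4:6] or fa[4:6] != fb[2:4]:
        findings.append("crypto ACLs are not mirror images of each other")
    return findings
```

Running check_pair(R1, R2) on the constructed pair returns an empty list; drop the deny line from ACL 101 on either side, or change one router's Diffie-Hellman group, and the corresponding finding appears.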

Verification and testing.

To test the VPN connection, let's ping from R1 to PC2.

R1#ping 192.168.2.1 source 192.168.1.254

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.2.1, timeout is 2 seconds:
Packet sent with a source address of 192.168.1.254
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 52/54/56 ms

As you can see, the ping from R1 to PC2 is successful. Don't forget to source the ping from the inside IP address when testing the VPN tunnel from the router; otherwise the packet does not match the crypto ACL. You can also ping from PC1 to PC2.

To verify the IPSec Phase 1 connection, type show crypto isakmp sa as shown below.

R1#show crypto isakmp sa
dst             src             state          conn-id slot status
70.54.241.2     199.88.212.2    QM_IDLE              1    0 ACTIVE

To verify IPSec Phase 2 connection, type show crypto ipsec sa as shown below.

R1#show crypto ipsec sa

interface: FastEthernet0/0
    Crypto map tag: IPSEC-SITE-TO-SITE-VPN, local addr 70.54.241.2

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (192.168.1.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (192.168.2.0/255.255.255.0/0/0)
   current_peer 199.88.212.2 port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 9, #pkts encrypt: 9, #pkts digest: 9
    #pkts decaps: 9, #pkts decrypt: 9, #pkts verify: 9
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 16, #recv errors 0

     local crypto endpt.: 70.54.241.2, remote crypto endpt.: 199.88.212.2
     path mtu 1500, ip mtu 1500, ip mtu idb FastEthernet0/0
     current outbound spi: 0xD41CAB1(222415537)

     inbound esp sas:
      spi: 0x9530FB4E(2503015246)
        transform: esp-aes esp-md5-hmac ,

You can also view active IPSec sessions using show crypto session command as shown below.

R1#show crypto session
Crypto session current status

Interface: FastEthernet0/0
Session status: UP-ACTIVE
Peer: 199.88.212.2 port 500
  IKE SA: local 70.54.241.2/500 remote 199.88.212.2/500 Active
  IPSEC FLOW: permit ip 192.168.1.0/255.255.255.0 192.168.2.0/255.255.255.0
        Active SAs: 2, origin: crypto map
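As an added example (not from the original post), the following Python health check parses the "show crypto isakmp sa" and "show crypto ipsec sa" output formats shown above and flags the conditions an operator watches for: no active QM_IDLE Phase 1 SA with the expected peer, a Phase 2 SA to a different peer, traffic flowing in only one direction, and send errors. The sample outputs are constructed to match the page's layout and the function names are hypothetical.

```python
import re

# Constructed sample outputs modelled on the show command output on this page
# (not captured from a live router); the send error count is kept as shown there.
ISAKMP_SA = """dst             src             state          conn-id slot status
70.54.241.2     199.88.212.2    QM_IDLE              1    0 ACTIVE
"""
IPSEC_SA = """   local  ident (addr/mask/prot/port): (192.168.1.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (192.168.2.0/255.255.255.0/0/0)
   current_peer 199.88.212.2 port 500
    #pkts encaps: 9, #pkts encrypt: 9, #pkts digest: 9
    #pkts decaps: 9, #pkts decrypt: 9, #pkts verify: 9
    #send errors 16, #recv errors 0
"""

def parse_isakmp_sa(text):
    """Rows of 'show crypto isakmp sa' as dicts keyed by the header columns."""
    lines = [l for l in text.splitlines() if l.strip()]
    keys = lines[0].split()
    return [dict(zip(keys, l.split())) for l in lines[1:]]

def ipsec_counters(text):
    """Pull the '#pkts ...' and '#... errors' counters out of 'show crypto ipsec sa'."""
    return {k.strip(): int(v) for k, v in re.findall(r"#([a-z. ]+?):? (\d+)", text)}

def tunnel_health(isakmp_text, ipsec_text, expected_peer):
    """Return a list of problems; an empty list means Phase 1 and Phase 2 look healthy."""
    problems = []
    sas = [s for s in parse_isakmp_sa(isakmp_text)
           if expected_peer in (s["src"], s["dst"])]
    if not any(s["state"] == "QM_IDLE" and s["status"] == "ACTIVE" for s in sas):
        problems.append("phase 1: no active QM_IDLE ISAKMP SA with " + expected_peer)
    peer = re.search(r"current_peer (\S+)", ipsec_text)
    if not peer or peer.group(1) != expected_peer:
        problems.append("phase 2: current_peer is not " + expected_peer)
    c = ipsec_counters(ipsec_text)
    # encaps counts packets we encrypted, decaps packets we decrypted from the peer
    if c.get("pkts encaps", 0) == 0 or c.get("pkts decaps", 0) == 0:
        problems.append("phase 2: traffic is not flowing in both directions")
    if c.get("send errors", 0):
        problems.append(f"phase 2: {c['send errors']} send errors reported")
    return problems
```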

In this way you can configure a Site to Site IPSec VPN tunnel in a Cisco IOS router.